Program Analysis and Verification Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University

Tentative syllabus Program Verification Operational semantics Hoare Logic Applying Hoare Logic Weakest Precondition Calculus Proving Termination Data structures Program Analysis Basics Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals LatticesFixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR 2

Previously Basic notions of correctness Formalizing Hoare triples FO logic – Free variables – Substitutions Hoare logic rules 3

Warm-up exercises 1.Define program state: 2.Define state predicate: 3.Define   P 4.Formalize {P} C {Q} via structural semantics: 5.FV(  m. x=k+1  0  m  x-1  nums(m)  res ) = { } 6.(  m. x=k+1  0  m  x-1  nums(m)  res )[x+1/x] = 4

Inference system Annotating programs with proofs Properties of the semantics Predicate transformer calculus – Weakest precondition calculus – Strongest postcondition calculus 5 Chapter 6 Agenda

Axiomatic semantics as an inference system 6

Inference trees Trees describing rule applications that ultimately prove a program correct Leaves are axiom applications Internal nodes correspond to rule applications over triples inferred from sub-trees Inference tree is called – Simple if tree is only an axiom – Composite otherwise 7

Factorial proof inference tree 8 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W { x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } {x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W {y=n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) {y=n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } will show later

Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } – Are inference trees unique? {true} x:=1; x:=x+5 {x  0} Proving properties of axiomatic semantics by induction on the shape of the inference tree – Example: prove  p { P } C { true } for any P and C 9 Where does the non-determinism come from?

Annotating programs with proofs 10

Annotated programs A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code”proof carrying code – Going from annotated program to proof tree is a linear time translation 11

Annotating composition We can inline inference trees into programs Using proof equivalence of S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 instead of writing deep trees, e.g., 12 {P} (S 1 ; S 2 ); (S 3 ; S 4 ) {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} (S 3 ; S 4 ) {Q} {P} S 1 {P’} {P’} S 2 {P’’}{P’’} S 3 {P’’’} {P’’’} S 4 {P’’} We can annotate a composition S 1 ; S 2 ;…; S n by {P 1 } S 1 {P 2 } S 2 … {P n-1 } S n-1 {P n }

Annotating conditions 13 { P } if b then { b  P } S 1 else {  b  P } S 2 { Q }

Annotating conditions 14 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q } { b  P } S 1 { Q 1 } {  b  P } S 2 { Q 2 } { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] [cons]

Annotating loops 15 { P } while b do { b  P } S {  b  P }

Annotating loops 16 { P } while b do { b  P } S { P’ } {  b  P } { Q } P’ implies P  b  P implies Q

Annotating loops 17 { P } while b do { b  P } S {  b  P } Source of confusion

Annotating loops – alternative 1 18 while { P } b do { b  P } S {  b  P }

Annotating loops – alternative 2 19 Inv = { P } while b do { b  P } S {  b  P } We will take this alternative in our examples and homework assignments

Annotating formula transformations We often rewrite formulas – To make proofs more readable – Using logical/mathematical identities – Imported mathematical theorems 20 {  } {  ’ } // transformation 1 {  ’’ } // transformation 2

Exercising Hoare logic 21

Exercise 1: variable swap – specify 22 { ? } t := x x := y y := t { ? }

Exercise 1: Prove using Hoare logic 23 { y=b  x=a } t := x { ? } x := y { ? } y := t { x=b  y=a }

Exercise 1: Prove using Hoare logic 24 { y=b  x=a } t := x { y=b  t=a } x := y { x=b  t=a } y := t { x=b  y=a }

Absolute value program 25 if x<0 then x := -x else skip if b then S is syntactic sugar for if b then S else skip The latter form is easier to reason about

Absolute value program – specify 26 { ? } if x<0 then x := -x else skip { ? }

Absolute value program – specify 27 { x=v } if x<0 then x := -x else skip { x=|v| }

Exercise 2: Prove using Hoare logic 28 { x=v } { } if x<0 then { } x := -x { } else { } skip { } {x=|v| }

Exercise 2: Prove using Hoare logic 29 { x=v } { (-x=|v|  x<0)  (x=|v|  x  0) } if x<0 then { -x=|v| } x := -x { x=|v| } else { x=|v| } skip { x=|v| } { x=|v| }

Annotated programs: factorial 30 { x=n } y := 1; Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x-1>0  (y*x)*(x-1)!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { y*x!=n!  n>0 } Contrast with proof via structural semantics Where did the inductive argument over loop iterations go?

Detailed proof steps 31 { x=n } y := 1; { x=n  y=1 } Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x  1  (x>0  y*x!=n!  n  x) } => ? { x>1  y*x!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { x>0  y*x!=n!  n  x } { y*x!=n!  n>0 }

Detailed proof of implication 32 { x  1  (x>0  y*x!=n!  n  x) } => relax inequality { x  1  (x>0  y*x!=n!  n  (x-1)) } => use logical identity A  B equals  A  B { x  1  (x  0  y*x!=n!  n  (x-1)) } => distribute  over  {(x  1  x  0)  (x  1  y*x!=n!  n  (x-1)) } => x  0 subsumes x  1  x  0 { x  0  (x  1  y*x!=n!  n  (x-1)) } => weaken conjunction by removing x  1 { x  0  (y*x!=n!  n  (x-1)) } => relax x  0 into x  1 { x  1  (y*x!=n!  n  (x-1)) } => use logical identity A  B equals  A  B { x  1  (x  1  y*x!=n!  n  (x-1))} write x  1 as x>1 { x>1  y*x!=n!  n  (x-1) }

Properties of the semantics 33

Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? 34 Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove?

Provable equivalence We say that C 1 and C 2 are provably equivalent if for all P and Q  p { P } C 1 { Q } if and only if  p { P } C 2 { Q } Examples: – S; skip and S – S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 35

S 1 ; (S 2 ; S 3 ) is provably equivalent to (S 1 ; S 2 ); S 3 36 {P} S 1 ; (S 2 ; S 3 ) {Q} {P} S 1 {P’} {P’} (S 2 ; S 3 ) {Q} {P’} S 2 {P’’} {P’’} S 3 {Q} {P} (S 1 ; S 2 ); S 3 {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} S 3 {Q} {P} S 1 {P’} {P’} S 2 {P’’}

Valid assertions We say that { P } C { Q } is valid if for all states , if   P and  C,   1 *  ’ then  ’  Q Denoted by  p { P } C { Q } 37 P C(P)C(P) Q  ’’ C

Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } Is Hoare logic sound? yes Is Hoare logic complete? depends 38

Weakest precondition calculus 39

From inference to calculus A Hoare-style proof is declarative – You can check that a proof is correct – Check is decidable given an algorithm to check implication Is there a more calculational approach to producing proofs? – Weakest precondition calculus (WP) – Strongest postcondition calculus (SP) WP/SP provide limits for Hoare triples WP helps prove that Hoare logic is relatively complete 40

Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,   1 *  ’ then  ’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 41

Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,   1 *  ’ then  ’  Q 42 P C(P)C(P) Q C wlp(C, Q) C(wlp(C, Q)) Give an example where this gap exists

Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is  ’  sp(P, C) if and only if there exists  such that   P and  C,   1 *  ’ Propositions: 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 43

Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 44

Is Hoare logic complete? Extensional approach: yes Proving  p { P } C { Q } implies  p { P } C { Q } boils down to proving  p { wlp(C, Q) } C { Q } See proof in book 45

Is Hoare logic complete? Intentional approach: no Gödel’s incompleteness theorem Only as complete as the logic of assertions Requires that we are able to prove the validity of assertions that occur in the rule of consequence Relative completeness of Hoare logic (Cook 1974) 46

Weakest (liberal) precondition calculus 47 By Vadim Plessky ( [see page for license], via Wikimedia Commons

Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 48

Calculating wlp of a loop 49 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent. Also they are provably equivalent (prove it) while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant: a fixpoint of the right-hand side transformer

Example: write a specification 50 { ? } while (timer  0) do timer := timer – 1 { ? } “The program should count to zero”

Example: prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equivalent to (timer  0  wlp(timer:=timer-1, timer  0))  (timer=0  timer=0) Start from right hand side and get left hand side (timer  0  wlp(timer:=timer-1, timer  0))  (timer=0  timer=0) = (timer  0  (timer  0)[timer-1/timer])  (timer=0  timer=0) = (timer  0  timer-1  0)  (timer=0  timer=0) = timer>0  timer=0 = timer  0 51 { timer  0 } while (timer  0) do timer := timer – 1 { timer = 0 }

A variant of wlp for loops Parametric in the loop invariant wlp( while b do {  } S, Q) =  where {b   } S {  } and  b    Q 52

wlp rules 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do {  } S, Q) =  where {b   } S {  } and  b    Q 53

Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) 54

Strongest postcondition calculus 55 By Vadim Plessky ( [see page for license], via Wikimedia Commons

Strongest postcondition rules 1.sp( skip, P) = P 2.sp( x := a, P) =  v. x=a[v/x]  P[v/x] 3.sp(S 1 ; S 2, P) = sp(S 2, sp(S 1, P)) 4.sp( if b then S 1 else S 2, P) = sp(S 1, b  P)  sp(S 2,  b  P) 5.sp( while b do {  } S, P) =    b where {b   } S {  } and P   b   56

Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?} 57 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ] The value of x in the pre-state

Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on Next lecture we will see a variant of this rule 58 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ] meaning: {x=z+1}

See you next time 59